[Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy
Added by Christophe D. almost 3 years ago
Hello,
First of all, let me share some information regarding the context:
- The OS:
# hostnamectl | grep -i system
Operating System: CentOS Linux 7 (Core)
- Prewikka was installed with the package manager (yum):
# rpm -qa | grep -i prewik
prewikka-5.2.0-4.el7.x86_64
python2-prewikka-5.2.0-4.el7.x86_64
- How Prewikka is started using the systemd service script:
# grep -i execstart /usr/lib/systemd/system/prewikka.service
ExecStart=/usr/sbin/prewikka-httpd -a 127.0.0.1
- Apache version:
# httpd -v | grep -i version
Server version: Apache/2.4.6 (CentOS)
- Apache configuration file for Prewikka:
# cat /etc/httpd/conf.d/prewikka.conf
<VirtualHost *:80>
    ServerName xxxxxxxxxxxxx
    DocumentRoot /var/www/html/
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName xxxxxxxxxxxxx
    DocumentRoot /var/www/html
    Header always edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"
    Header onsuccess edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
    ProxyPreserveHost Off
    ProxyRequests Off
    ProxyTimeout 600
    RequestHeader set Origin "127.0.0.1:8000"
    RequestHeader set Host "127.0.0.1:8000"
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set Referer ""
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/certs/apache-selfsigned.key
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLCompression Off
    SSLEngine On
    SSLHonorCipherOrder On
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    Timeout 360
    UseCanonicalName on
</VirtualHost>
Now, when I access Prewikka using https://xxxxxxxxxxxxx, through the TLS termination reverse proxy installed and configured locally (i.e. on the same machine as Prewikka), I get the error message below for some actions:
Error: Origin check failed
Details:
except Exception as err: raise autherr or err if view_object.view_require_session and autherr:
/usr/lib/python2.7/site-packages/prewikka/main.py, line 285:
raise autherr or err
/usr/lib/python2.7/site-packages/prewikka/main.py, line 301:
response = self._process_static(webreq) or self._process_dynamic(webreq)
The actions are, for instance:
- Update the password of an existing user
- Create a new user
- Change the period of the alerts I would like to display
I tried with Apache configured without TLS and I did not get this error. Any idea?
Thank you in advance for your help.
Regards,
Replies (5)
RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Francois POIROTTE almost 3 years ago
Hello,
Prewikka uses cookies bound to the application's host/path to prevent Cross-Site Request Forgery (CSRF) attacks.
Apache does not rewrite the cookies in HTTP requests/responses by default, hence the error.
See the ProxyPassReverseCookieDomain and ProxyPassReverseCookiePath options in Apache's documentation for more information on how to rewrite the cookies' host & path.
In addition, you should not set headers manually as it may interfere with functionalities of the HTTP protocol or your Internet browser (e.g. CORS).
Best regards,
François
RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Christophe D. almost 3 years ago
Thank you François. I will try that and keep you posted.
Regards,
RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Christophe D. almost 3 years ago
Hello,
Tested (i.e. ProxyPassReverseCookieDomain & ProxyPassReverseCookiePath) but unsuccessful. As stated in my previous message, I do not get this error when I use the same setup but without TLS configured on the Apache reverse proxy.
Any idea is welcome.
Regards,
RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Francois POIROTTE almost 3 years ago
Hello,
I finally had time to test a similar setup (with nginx).
From my investigation, when prewikka-httpd is used to run Prewikka, the application only sees the request made to prewikka-httpd and uses that to check the requests' origin. That is to say, it is not meant to be run through a reverse proxy.
- Do not run prewikka-httpd behind a reverse proxy.
- You could either expose prewikka-httpd directly (it supports TLS certificates through the --key and --cert options), though I would recommend against it for performance reasons.
- Instead, you could also run Prewikka through mod_wsgi. This is usually the recommended approach. See this page for more information.
- If you really want to use prewikka-httpd with a reverse proxy, you will need to rewrite the original Origin and Referer HTTP headers to match the origin expected by Prewikka, but only when the original value matches the expected value/prefix (this is necessary to prevent potential security issues). For nginx, this can be done with a configuration similar to the following inside a location block:
set $new_origin $http_origin;
if ($http_origin = "https://prelude.example.com") {
    set $new_origin "http://127.0.0.1:8000";
}
proxy_set_header Origin $new_origin;
set $new_referer $http_referer;
if ($http_referer ~ "^https://prelude\.example\.com(.*)$") {
    set $new_referer "http://127.0.0.1:8000$1";
}
proxy_set_header Referer $new_referer;
In this example, nginx is listening for HTTPS requests on the vhost prelude.example.com, while prewikka-httpd is listening for HTTP requests on 127.0.0.1:8000. I think a similar configuration can be defined for Apache:
# This requires mod_headers
RequestHeader edit* Origin "^https://prelude\.example\.com" "http://127.0.0.1:8000"
RequestHeader edit* Referer "^https://prelude\.example\.com" "http://127.0.0.1:8000"
Best regards,
François
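To make the difference between the conditional rewrite in this reply and the unconditional `RequestHeader set Origin` from the opening post concrete, here is an added Python model (not Prewikka's, nginx's or Apache's code) of both proxy strategies in front of a simplified origin check. The public vhost and backend addresses come from the reply; the request headers are constructed, and the Referer match is deliberately a little stricter than the quoted regex.

```python
from urllib.parse import urlsplit

PUBLIC_ORIGIN = "https://prelude.example.com"  # vhost browsers talk to (from the reply)
BACKEND_ORIGIN = "http://127.0.0.1:8000"       # what prewikka-httpd sees (from the reply)

def rewrite_conditionally(headers):
    """Proxy-side rewrite matching the nginx 'if' blocks: Origin is replaced only
    on an exact match, Referer only when it is a URL under the public vhost.
    A '/' or end of string must follow the host (stricter than the quoted regex,
    so 'https://prelude.example.com.other' is left alone)."""
    out = dict(headers)
    if out.get("Origin") == PUBLIC_ORIGIN:
        out["Origin"] = BACKEND_ORIGIN
    ref = out.get("Referer")
    if ref == PUBLIC_ORIGIN or (ref and ref.startswith(PUBLIC_ORIGIN + "/")):
        out["Referer"] = BACKEND_ORIGIN + ref[len(PUBLIC_ORIGIN):]
    return out

def rewrite_unconditionally(headers):
    """Models the 'RequestHeader set Origin ...' approach from the first post:
    every request is stamped with the backend origin, whoever sent it."""
    out = dict(headers)
    out["Origin"] = BACKEND_ORIGIN
    return out

def backend_origin_check(headers, expected=BACKEND_ORIGIN):
    """Simplified stand-in for the check behind 'Origin check failed': use the
    Origin header, fall back to the Referer's scheme+host, and require it to
    equal the origin the backend believes it serves."""
    origin = headers.get("Origin")
    if origin is None:
        ref = headers.get("Referer")
        if not ref:
            return False
        u = urlsplit(ref)
        origin = f"{u.scheme}://{u.netloc}"
    return origin == expected

# Constructed sample requests: one from a real Prewikka page, one cross-site.
SAME_SITE = {"Origin": PUBLIC_ORIGIN, "Referer": PUBLIC_ORIGIN + "/settings/my_account"}
CROSS_SITE = {"Origin": "https://third-party.example", "Referer": "https://third-party.example/"}

def outcomes():
    """Accepted (True) or rejected (False) per (proxy strategy, request kind)."""
    strategies = {"none": lambda h: h, "conditional": rewrite_conditionally,
                  "unconditional": rewrite_unconditionally}
    return {(s, kind): backend_origin_check(fn(req))
            for s, fn in strategies.items()
            for kind, req in (("same_site", SAME_SITE), ("cross_site", CROSS_SITE))}
```

With no rewrite the legitimate request is rejected (the symptom in this thread); the conditional rewrite accepts it while still rejecting the cross-site one; the unconditional rewrite accepts both, which is the security issue the reply warns about.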
RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Christophe D. almost 3 years ago
Hello and thank you François. I will keep you posted.
Regards,